
Norman

Posted: August 15, 2019

Norman is a miner Trojan that runs XMRig without the user's consent to generate the Monero cryptocurrency. Its campaign compromises vulnerable business networks and includes substantial anti-detection and network-traversing support through additional tools. After removing Norman with a reputable anti-malware product, users should change any passwords that could be at risk from related security breaches.

Norman Doesn't Want to Say Hello

With Trojans like the EternalBlue-abusing Smominru, the backdoor-opening Plurox, or the new Norman, XMRig is becoming the miner 'du jour' for any criminals happily collecting Monero with others' hardware. While many aspects of the Norman campaign remain similarly generic, once one isolates it from its 'vanilla' components, the Trojan offers bold, new flavors of black hat programming. It places an unusual emphasis on obfuscation and self-defense against being detected, whether by sight or by automated security tools.

The initial discovery of Norman occurred during an analysis of an undisclosed, mid-size company's breached servers, which found it alongside password-collecting spyware, PHP-based shells for delivering attack commands, and, of course, the ubiquitous XMRig. Although Norman lacks any self-distributing features of its own, the threat actor is likely dropping it manually, with the assistance of the shell utilities or other hacking methods. Meanwhile, XMRig is a favorite among mining Trojans for its lightweight, CPU-based feature set.

However, Norman shows other characteristics that are somewhat out of line for a traditional mining Trojan. Malware researchers point out the use of NSIS during the executable's compilation, self-injection, and .NET-based triple obfuscation as some of its more potent defenses against detection. It also carries a failsafe against users double-checking their memory processes – it monitors Task Manager and stops the mining routine temporarily while the memory-monitoring application is open.
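The Task Manager failsafe described above leaves a behavioural trace a defender can hunt for: a process that consumes most of the CPU whenever taskmgr.exe is absent and goes almost idle the moment it appears. The following script is an added illustration of that detection logic and is not code from the original article or from the researchers who analysed Norman. It assumes a hypothetical, constructed telemetry format (one line per process per sampling interval, `<timestamp> proc=<name> cpu=<percent>`) and the sample lines are invented; the thresholds `high`, `low` and `min_samples` are tunable assumptions, not values the page gives.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample telemetry (not real data): one line per process per
# one-second sampling interval. taskmgr.exe is present only at :02 and :03,
# and "updater.exe" stands in for a miner that pauses while it is open.
SAMPLE_LOG = """\
2019-08-15T10:00:00Z proc=updater.exe cpu=96
2019-08-15T10:00:00Z proc=build.exe cpu=80
2019-08-15T10:00:00Z proc=explorer.exe cpu=2
2019-08-15T10:00:01Z proc=updater.exe cpu=97
2019-08-15T10:00:01Z proc=build.exe cpu=78
2019-08-15T10:00:01Z proc=explorer.exe cpu=1
2019-08-15T10:00:02Z proc=taskmgr.exe cpu=4
2019-08-15T10:00:02Z proc=updater.exe cpu=0
2019-08-15T10:00:02Z proc=build.exe cpu=82
2019-08-15T10:00:02Z proc=explorer.exe cpu=3
2019-08-15T10:00:03Z proc=taskmgr.exe cpu=3
2019-08-15T10:00:03Z proc=updater.exe cpu=1
2019-08-15T10:00:03Z proc=build.exe cpu=79
2019-08-15T10:00:03Z proc=explorer.exe cpu=2
2019-08-15T10:00:04Z proc=updater.exe cpu=95
2019-08-15T10:00:04Z proc=build.exe cpu=81
2019-08-15T10:00:04Z proc=explorer.exe cpu=1
"""

# Hypothetical line format assumed for this example.
LINE_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) cpu=(?P<cpu>\d+(?:\.\d+)?)$")


def parse_snapshots(text):
    """Group telemetry lines into per-timestamp snapshots: {ts: {proc: cpu_percent}}."""
    snapshots = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable telemetry line: {line!r}")
        snapshots[m["ts"]][m["proc"].lower()] = float(m["cpu"])
    return dict(snapshots)


def taskmgr_sensitive_processes(snapshots, monitor="taskmgr.exe",
                                high=50.0, low=5.0, min_samples=2):
    """Return process names that are CPU-heavy whenever `monitor` is absent
    and near-idle whenever it is present, the pattern the article describes.

    A legitimately busy process (a build, a video encode) keeps working while
    Task Manager is open, so it is not flagged; a process that only ever idles
    is not flagged either. Both states must be observed at least `min_samples`
    times so that a single coincidental dip does not trigger an alert."""
    with_monitor = defaultdict(list)
    without_monitor = defaultdict(list)
    for ts in sorted(snapshots):
        procs = snapshots[ts]
        bucket = with_monitor if monitor in procs else without_monitor
        for name, cpu in procs.items():
            if name != monitor:
                bucket[name].append(cpu)

    flagged = []
    for name in set(with_monitor) | set(without_monitor):
        busy = without_monitor.get(name, [])
        quiet = with_monitor.get(name, [])
        if len(busy) < min_samples or len(quiet) < min_samples:
            continue  # not seen long enough in both states to judge
        if mean(busy) >= high and mean(quiet) <= low:
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    snaps = parse_snapshots(SAMPLE_LOG)
    print(taskmgr_sensitive_processes(snaps))  # ['updater.exe']
```

In practice the snapshots would come from an endpoint agent's periodic process listing rather than a string constant, and the same comparison generalises to any monitoring tool the malware might watch for by passing a different `monitor` name. A hit is a hunting lead, not proof: confirm it by checking the flagged binary's signature, its parent process and its network connections before acting on it.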

Uninviting the Shyest Trojan from the Party

Some of Norman's compilation and commentary data suggests that its threat actor is a native French speaker. To counterbalance this fact, however, readers should be aware that malware analysts find no evidence of Norman's using language settings as part of its victim-filtering system or geo-targeting specific nationalities more than others. Most cryptocurrency-mining Trojans will target victims with weak security, such as businesses using default password settings or outdated infrastructure.

Depending on its XMRig configuration, Norman may abuse hardware until it fails, or the Trojan may run its mining activities indefinitely and without any performance-related symptoms. Victims should respond to Norman infections as being a security breach of similar urgency to that of a RAT or backdoor Trojan, which would grant an attacker remote control over the system and potential network-traversing routes. Disabling Internet connectivity and, with it, Norman's C&C connection is, therefore, a necessity.

Symptoms of Norman infections may not always be present. Windows users can, and should, apply any updates for their anti-malware solutions before scanning for and removing Norman, along with any related threats (such as Mimikatz, a commonly-used password collector).

Norman's attacks aren't of much note, but the degree to which its author protects them is laudable, for a criminal programmer. Trojans putting extra effort into hiding require a corresponding exertion from network administrators, and the cyber-security industry as a whole, to combat.
